Hey Everyone – I just wanted to take a moment to announce to anyone who hasn’t already heard that PsExec, starting with version 2.1, which was released on March 7, 2014, now encrypts all communication between local and remote systems. No more passwords sent in the clear!
In previous versions of PsExec, if you specified credentials with the -u and -p parameters, those credentials would be transferred to the remote systems in clear, unencrypted text. Note that this did NOT apply to cases where Integrated Security was used (remember that with Integrated Security, the security context of the logged on user is used, so no separate credentials are specified). It only applied to the cases where you supplied alternate credentials.
BatchPatch supports the latest PsExec v2.11, so please go ahead and make sure you update your copy. You can download PsExec from http://msdn.microsoft.com/en-us/library/bb897553.aspx
Additional Information About Hubs, Switches, and Encrypted Network Communications
While it’s definitely great news that PsExec now encrypts its network communications, for those of you who might not fully understand the ramifications of what this means, I’ll explain in a bit more detail. Sending passwords over the network in clear text sounds pretty bad, doesn’t it? Well, it’s actually not necessarily all that bad, in reality. It all depends on the details of your network setup. To be clear, I’m not saying that you shouldn’t have *any* concern about clear text credentials on your network. I’m just saying that you should understand exactly what the possible risks are so that you can determine if they are or are not a major concern for your situation. For the most part, while it’s definitely always better to encrypt credentials whenever possible, there are many situations where a clear text credential traversing a LAN is not the end of the world. There are other cases where a clear text credential traversing a LAN should be avoided at all costs.
First let’s clarify the difference between a hub and a switch. This is critical to understanding the security ramifications of sending data over the network without encrypting it.
HUB: A hub is essentially a network repeater. It’s not an “intelligent” device, per se. Any data that is sent from any port on the hub is then repeated to all other ports on the hub. This means that every port on the hub will receive (see) the same data that all the other ports see. Aside from being very inefficient, it also doesn’t provide any degree of security for the data that moves through it.
Imagine a 24-port hub with your computer connected to port 1, your target server connected to port 24, and then 22 other computers connected to the other ports on the hub. If your computer sends data to the target server on port 24, all other computers will see that data. In the event that you send a plain-text password to the target computer, if the machine plugged into port 7, for example, is setup to capture all of the data that it sees on its port, it will actually capture your password, even though your password is intended for the server on port 24.
SWITCH: Unlike a hub, a switch is a smart device. The switch actually learns what devices are connected to each of its ports, and it maintains a table to keep track of this information. When data is sent through the switch, the switch looks at the individual packets, and it forwards each packet only to the port or ports that the data is destined for. Not only is this much more efficient, but it also provides some security for the actual data.
Imagine a 24-port switch with your computer connected to port 1, your target server connected to port 24, and then 22 other computers connected to the other ports on the switch. If your computer sends data to the target server on port 24, NO other computers attached to the switch will see that data. In the event that you send a plain-text password to the target computer, if the machine plugged into port 7, for example, is setup to capture all of the data that it sees on its port, it will NOT capture your password. This is because a switch will send your data directly to port 24 without broadcasting it to all the other ports on the switch.
CONCLUSION: Since it’s now 2014, the very large majority of networks are built on switches, with very little or no use of hubs whatsoever. With regard to credentials being sent across a network in clear text, it’s not necessarily all that big of a deal when you’re dealing with a modern switched network. To be clear, I’m not saying that lack of encryption is good! I’m just saying that in relative terms, it might not be nearly as bad as it sounds. A malicious user wouldn’t simply be able to plug a device into an open port on the switch in order to be able to capture the data sent to all other ports on the switch. We generally recommend using encryption whenever possible. However, the point is that it’s always important to understand the nature of the problem you have so that you can best determine how to solve it or work around it. The clear-text credentials problem on a switched network is, for many network administrators, not necessarily the biggest problem. It depends on the particular network’s physical setup, the security requirements of the company that operates the network, as well as numerous other factors.